Better Mobile App

[TUT] OEM Building

HOW To Make an OEM
Here is the tutorial for building an OEM, so, of course it can be used for any device,.
nb: try it at your own risk,.
OEM folder used as the place for any application that would be a default ROM application.
Here is step by step,.
1. Download & Install Hypercore Kitchen
2. Open Hypercore and go to panel/extra/CAB Analiser,.
3. Open or Drag and drop the .cab files that you would make it an OEM,.
4. Choose "XML" display then extract all cab files to a new folder,.
5. Go to "Registry tab", then copy all the registry setting from there, and paste to a new blank document
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
6. The registry setting is absolutely unusable, to make it usable, it must be edited like this,.
(Before edited)
REGEDIT4
[HKEY_LOCAL_MACHINE\Drivers\USB\FunctionDrivers\WM5torage_Class]
"ActivateFlags" = dword : 00000000
"DeviceName" = ""
"NLEDWrite" = dword : 0000FFFF
"NLEDRead" = dword : 0000FFFF
"idVendor" = dword : 0000045E ---------------------------------------> There is a space between "=" and "dword", its Wrong,.
"ReadOnly" = dword : 00000000
"Dll" = %CE1%\WM5torage\WM5torage.dll --------------------------> It have only one slices, its wrong,.
"Product" = "Windows Mobile Device"
(After edited)
REGEDIT4 -------------------------------------------------------------------> There must be REGEDIT4 at the TOP
[HKEY_LOCAL_MACHINE\Drivers\USB\FunctionDrivers\WM5torage_Class]
"ActivateFlags"=dword:00000000
"DeviceName"=""
"NLEDWrite"=dword:0000FFFF
"NLEDRead"=dword:0000FFFF
"idVendor"=dword:0000045E ------------------------------------------> Take a look at this, there should be no spacing inside the registry,.
"ReadOnly"=dword:00000000
"Dll"=%CE1%\\WM5torage\\WM5torage.dll -------------------------> If the keys are pointing to somewhere else, it must be two slice like this,.
"Product"="Windows Mobile Device"
--------------------------------------------------------------------------------> Leave one line empty at the BOTTOM,.
7. Generate GUID Name, (The generaor could be downloaded HERE)
8. Okay, save it in UNICODE encoding, using (Generated GUID Name).rgu
9. Make another blank document, and rename it with, (Generated GUID Name).dsm
(The generated GUID name between .rgu and .dsm must be the same)
10. Make a "initflashfiles.txt",. -------> (I give the tutorial below,.)
HOW To Make a initflashfiles.txt
initflashfiles.txt used to copy a file from specified location, to another specified location,.
Here is the step by step,.
1. Just make a new blank document
2. Save that document as initflashfiles.txt
What should you write inside initflashfiles.txt?? you should write this (below),.
The formula is:
Directory("DESTINATION FOLDER"):-File("DESIRED FILENAME","FILE SOURCE")
So, it will be like this,.
-------> Means that you want to copy the file named WM5torage.lnk in \Windows folder, to \Windows\Start Menu\Programs\System folder,.
There you go, you have one working initflashfiles.txt now,.
--- Finally, make it in one folder, and give it a name, ex: OEM_WM5torage ---
NB:
That you have to remember when you build an OEM:
a. There must be REGEDIT4 at the TOP
b. Leave one line empty at the BOTTOM
c. Dont use Wordwrap view
d. Save with (GUIDname).rgu and use UNICODE encoding
GOOD LUCK,.
Happy ROM Cooking to all of you,.
- Kumara -

I dnt know why the pictures are not showing??!!
I think this is the problem !!
When u want to put a pic , press on *insert image* and put a direct link
not IMG code or HTML code

ghostrecon2050 said:
I dnt know why the pictures are not showing??!!
I think this is the problem !!
When u want to put a pic , press on *insert image* and put a direct link
not IMG code or HTML code
Click to expand...
Click to collapse
Hi buddy, i put this picture from a direct link, it might be your internet explorer setting,.

But serialz got the same problem but in the Atom Cooking tutorial thread :
he said : "please update the pics too..it's much easy to do it with visual guide.."
May be it's our IE settings ?? I'm confused !!

ghostrecon2050 said:
But serialz got the same problem but in the Atom Cooking tutorial thread :
he said : "please update the pics too..it's much easy to do it with visual guide.."
May be it's our IE settings ?? I'm confused !!
Click to expand...
Click to collapse
Image updated, could you see the picture now??

Link Megaupload please!
Thanks

mykolor said:
Link Megaupload please!
Thanks
Click to expand...
Click to collapse
What do tou mean by link megaupload?????
BTW, could you see the picture of my post??

Garmin said:
What do tou mean by link megaupload?????
BTW, could you see the picture of my post??
Click to expand...
Click to collapse
All the picture #1 page is not showing.
I want to download your ROM by link Megaupload

Yes , Now I can see the pictures , TY Garmin <3

Hi Garmin,
Thank you for the tutorial to make OEM. wonderful!
Your tutorial is good for standalone .exe files
but if you don't mind if i ask about cabs?
I have a question about cabs files:
how to input serial number into the cabs registry for programs Cabs that has serial activation? so everytime i install it.. it doesn't need to enter serial?
for example: i need to put "modified cabs" to extended rom. so it will install by itself every time i do hard reset.
Thank you garmin.

sliders7 said:
Hi Garmin,
Thank you for the tutorial to make OEM. wonderful!
Your tutorial is good for standalone .exe files
but if you don't mind if i ask about cabs?
I have a question about cabs files:
how to input serial number into the cabs registry for programs Cabs that has serial activation? so everytime i install it.. it doesn't need to enter serial?
for example: i need to put "modified cabs" to extended rom. so it will install by itself every time i do hard reset.
Thank you garmin.
Click to expand...
Click to collapse
Every apps is different. So if don't know where a reg patch (sn. insert in registry), that's unable to create registry

Yup agreed with abusalza, every apps is different and they store their serial and reg key differently. i found some at the registry, and some on the file folder itself, some even encode them in the registry.
For me i key in the serial and search for it in the registry, den backup the key, and create cab for the registration and placing of ringtones and placing of shortcuts (for appz and games that installed on storage)
This ways saved me many hours when i will tryin to cook my own ROM or tryin out new appz

Just wanna thank Garmin for creating this thread and really helped me alot!!
thank very much bro!!!

ckaidi said:
Yup agreed with abusalza, every apps is different and they store their serial and reg key differently. i found some at the registry, and some on the file folder itself, some even encode them in the registry.
For me i key in the serial and search for it in the registry, den backup the key, and create cab for the registration and placing of ringtones and placing of shortcuts (for appz and games that installed on storage)
This ways saved me many hours when i will tryin to cook my own ROM or tryin out new appz
Click to expand...
Click to collapse
Backing up the key is one beautiful idea!
Thanks for the help!

sliders7 said:
Backing up the key is one beautiful idea!
Thanks for the help!
Click to expand...
Click to collapse
Try Settings Saviour. I haven't tried though, but it is supposed to that what you need.
@Garmin: good job!

ckaidi said:
Just wanna thank Garmin for creating this thread and really helped me alot!!
thank very much bro!!!
Click to expand...
Click to collapse
Thanks Bud,.
BTW, Sorry for not in the forum so often,.
My computer has just attacked by many variant of virusses, and it started with one of the thread here,.
Becarefull guys,. someone try to distributing a SPAM in this forum,.
Take care,.

Some appz and gamez include a setup.dll in the cab which insert reg values. Anyone know how to decode it? This will really help in building OEM
Thanks!!

ckaidi said:
Some appz and gamez include a setup.dll in the cab which insert reg values. Anyone know how to decode it? This will really help in building OEM
Thanks!!
Click to expand...
Click to collapse
hi ck..
try using ResHacker (google it),.
or try reverse mode (search it in the forum),.
gud luck,.

wrong post, sorry

HI!
when I want to copy registry values from Cabs Analyzer there is no values...
It is S2U2 Cab, and some others too...but when i opend HTC keyboard cab registry values are shown

NSS 0.47.0 Beta - Quick Install & Restore of the 710 bootloader

Hi,
New NSS beta is available for download. It will implement installing and restoring
of the bootloader as single click solution. Although the Qcom loader could be
installed via normal flashing, it is much easier this way. Also recovery is intended
to save manual hex editing or cmd line commands.
1. Download the new version
2. Extract to a folder, start the program
3. Insert the 2 loaders in \loaders\special\wp7\ - the qualcom file: RM803_12w07_prod_generic_nokia_osbl.esco,
posted by xorizont here , second file: RM803_11w48_prod_raw_nokia_osbl.bin attached (unzip first)
4. Go to Flashing->WP7 Tools
You are ready to play. Quick description:
- Read PMM button - reads the PMM partition with Nokia specific values(product
code, MAC addresses, et), you can edit in the boxes
- Write PMM button - writes back to the partition a selected value (via Update
checkbox)
Install button - use this to quickly install Qcom loader on 710(no way to load on
800 as the cert is checked)
Parse FS button - you can use this to test NSS partition parser and compare
against 3rd party tool, to make sure something catastrophically wrong will not
happen during recovery
Restore button - This will attempt to recover the Nokia production loader (so called DLOAD)
via raw NAND write into partition 2 of the connected phone. Make
sure you start in Normal mode as NSS will need to check phone type and battery
value (to make sure wrong file is not written to 800, or if the battery is critically
low)
Please keep in mind, this is a Beta version, it has been tested only on one phone
and is possible to be a major phone killer, so thread lightly. It is offered as it is,
with the hope of being useful, and I can't be held responsible for fatal results.
My best recommendation is to check the partitions after write/recovery with
3rd party tool and make sure all is ok before restarting the phone power. All this
until some recovery method is found (if somebody has found flashing routines in
SECBOOT or other loader, pls PM me).
BR, Chris

Thanks for this nice tool!
I just wanted to stress that:
- Read PMM button - reads the PMM partition with Nokia specific values(product
code, MAC addresses, et), you can edit in the boxes
- Write PMM button - writes back to the partition a selected value (via Update
checkbox)
Click to expand...
Click to collapse
Are only possible when the phone has the qualcomm loader right? Because only then it's possible to overwrite the values using the NAND access mode (Qualcomm MSD).

Hi,
Yes, only in NAND mode, on phones that have it. If you have Nokia DLOAD loader
and not hacked phone, you can only read those value via JSON call to NCSD appl.
There isn't any method coded to change them in Normal mode(at least i did not
find one yet).
BR

Bph&co said:
Hi,
Yes, only in NAND mode, on phones that have it. If you have Nokia DLOAD loader
and not hacked phone, you can only read those value via JSON call to NCSD appl.
There isn't any method coded to change them in Normal mode(at least i did not
find one yet).
BR
Click to expand...
Click to collapse
It's good to see there is now a userfriendly way of doing stuff like this. Thanks again

now all we need is a tool to write an .nb file with one click. can one do it?

mariosraptor said:
now all we need is a tool to write an .nb file with one click. can one do it?
Click to expand...
Click to collapse
To be honest i have no idea how that exactly works - is there a need for a file
system parser and proper replacing of a file, or just writting to a const location
in the last partition.
The mount never worked on my Ubuntu install(and i am complete Linux newbie).

Bph&co said:
To be honest i have no idea how that exactly works - is there a need for a file
system parser and proper replacing of a file, or just writting to a const location
in the last partition.
The mount never worked on my Ubuntu install(and i am complete Linux newbie).
Click to expand...
Click to collapse
Thanks God. there is someone else like me in linux.( humor, no offense ofcourse ;-) )
mate i have no idea how it works. nobody wants to write a very accurate tutorial.
not being able to flash the custom rom was the reason that i reverted my bootloader.

To unlock bootloader I used to NCS and firmware posted by xorizont. So how make connection under Windows7 before flash xorizont's firmware if Nokia is in DLOAD mode?

this is very helpfull for many people to get to qulcomm on 710!
+1

So You are able to load Qualcomm B. via NSS even if on the moment I have got DLOAD?

Hi,
New Beta - 0.47.1 - with ability to write moded OS files(.nb).
OS File button - select .nb file
Write OS button - loads the file onto the last partition (change to OSBL mode first)
As with the previous beta - make sure you check the partion parser for errors.
Write will be verified, but not the exact write address, so maybe good to have a
look with WinHex before restarting the phone.
BR

Already a new version, you're working hard man! ;-)
So if i understand correctly, you have automated the process of 'block writing' (which without this tool requires using dd) the created custom roms to the correct partition on the Lumia?
Of course this requires Qualcomm bootloader; for the 710 your tool can load this even if the phone currently has the newer Nokia DLOAD.

Hi,
Yes, i work even in my sleep Right now killing myself with the baseband diss, but
decided to have a break and make this.
It seems the OsBuilder creates raw partition image, to fit exactly into the OS part
of the NAND chip. So all i do is open the usb device as physical disk, parse the
partition structure and do a low level read/write to absolute addresses.
Yes, it is mostly for 710, but write OS function should be working for 800 with
Qcom loader too, just can't test it as i don't have such phone.
Also the Install/Recovery should work forever on a 710, unless Nokia/MS release
some updated bootloader that somehow prevents loading of the signed Qcom
loader and the user does a full flash (or via sneak Zune update) and overwrite
the current DLOAD loader.
BR

Bph&co said:
Hi,
New Beta - 0.47.1 - with ability to write moded OS files(.nb).
OS File button - select .nb file
Write OS button - loads the file onto the last partition (change to OSBL mode first)
oh man you are a superstar. you did what i said it was missing. no more (hopefully) screwd phones.
@Mods please make this sticky.
Click to expand...
Click to collapse

Amazing tool!
I just used it to load Full Unlock Image for Lumia 710 by lucifer3006!
No more linux stuff needed, this is great and almost one-click windows solution!
Thank you!

When we talking about copy moded nb file into partition You mean sdx9 is default partition?

Hi,
The sdb thingi is something from Linux. On low level there are 4 primary partitions
in MBR, all the rest are logical, so the last entry in MBR points to the first logical one,
that for itself contains primary part and next one is logical as well. The last entry
in this linked list is the OS partition.
BR

1. OK I went through this. Tell me please how is possible to unlock bootloader if Lumia is in DLOAD mode? NSS can't reconized WP in this mode.
2. In case of relocking bootloader did I need copy Your specific RM803_11w48_prod_raw_nokia_osbl.bin or download an from navifirm?

I hope it's add backup and restore the "DPP.BIN" function!
like this!
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
Thank you very much!

djtonka said:
1. OK I went through this. Tell me please how is possible to unlock bootloader if Lumia is in DLOAD mode? NSS can't reconized WP in this mode.
2. In case of relocking bootloader did I need copy Your specific RM803_11w48_prod_raw_nokia_osbl.bin or download an from navifirm?
Click to expand...
Click to collapse
Hi,
1 - Maybe you have Zune running and NSS can't open the port ? Use the kill Zune
services option in NSS please
2 - Yes this specific loader is needed (its extract from an original file) and is hash
checked before writting to the second partition to prevent dead phones
BR

[WIP]LOGO.bin File Format and Modding

I haven't had enough to get a One now, but I'm pretty interested in the phone. Yesterday I saw a thread on Chinese forum, saying that LOGO.bin contains the image shown in fastboot mode, and thus everyone can choose his preferred image (like CM's) even if he uses ColorOS. So I tried to extract the bitmap from LOGO.bin and replace it with my own picture.
Now I've succeed PARTIALLY in identifying the BIN file format and extracting the images. There's no enough time to dig into replacing the pictures though, but I think it won't be hard.
Here is what I find, for those "aggressive" themers and ROM devs who want custom boot splash screen:
The BIN file starts with the following structure:
C:
struct SPLASHHEADERINDEX {
char magic_code[8]; // = { 'S', 'P', 'L', 'A', 'S', 'H', '!', '!' };
int img_width;
int img_height;
int reserved; // What's this? I haven't figured that out.
int img_offset[6];
char padding[468]; // The header is 512 bytes. Thanks [user=5757424]@chillstep1998[/user] !
};
Right after this structure, the raw data of boot splash image begins. Every pixel is described by 3 bytes in B-G-R order. The pixels begin at the upper left corner and then stored in the order of left to right & up to down. You can read (img_width * img_height * 3) bytes and write them into a BMP file. NOTE that BMP files require 4-pixel alignment for every horizontal row (Google that for details, otherwise you will get a "Broken image" info in image viewers) In order to avoid this problem, I wrote a simple program in VB.NET and used Bitmap.SetPixel and Bitmap.Save to solve it.
This is the VB code for this procedure. (I can't do GUI programs in C++...)
Code:
Dim bmp As New Bitmap(img_width, img_height)
Dim color As Color
For y = 0 To img_height - 1
For x = 0 To img_width - 1
b = fs.ReadByte 'fs is the FileStream of BIN file. Already sought to correct offset.
g = fs.ReadByte
r = fs.ReadByte
If b = -1 Then b = 0
If g = -1 Then g = 0
If r = -1 Then r = 0
color = color.FromArgb(r, g, b)
bmp.SetPixel(x, y, color)
Next
Next
There are some zeros after (img_width * img_height * 3) bytes. I don't know what's for...
Then let's look at the other images. Their offsets are in the img_offset array of SPLASHHEADERINDEX. They have headers like this:
C:
struct SPLASHHEADERNONINDEX {
char magic_code[8]; // "SPLASH!!" without \0
int img_width;
int img_height;
int reserved; //Still don't know
char padding[492];
};
Right after the structure is the raw data. Process that as mentioned above.
The image at img_offset[0] is the one shown in fastboot mode
[1] is AT current test (original Chinese: AT电流测试. What's AT?)
[2] is RF test
[3] is WLAN test
[4] is charging
[5] is low battery warning
Previews for new images are coming soon...
However: there is one bug: the images extracted are "mis-placed". You need to move 0x0 to 164xHEIGHT (163xHEIGHT maybe) area to the right side of the image to get the correct pic. The images extracted from ColorOS' LOGO.bin are listed as follows:
SPOILER:
[0]
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
[1]
[2]
[3]
[4]
[5]
Boot splash
Does anyone know the cause of this mis-place problem? Although that can be solved easily in the code, but it's not very reliable. Maybe it's related to the "reserved" member?
Since the format is rather simple, modding and repacking will be easy. When I get some free time I'll make a tool for this...

still dangerous. We don't know whether there's logo signiture check, even if we know how to make a logo.bin.
But good job!

dlhxr said:
still dangerous. We don't know whether there's logo signiture check, even if we know how to make a logo.bin.
But good job!
Click to expand...
Click to collapse
Can't come up with any reason why there should be signature check for logo, especially when we can use home-made modem fimwares and kernels without any problem... But it's worth considering since there's "reserved" member. ColorOS gets 0x00 0x00 0x00 0x00 and CM 0x00 0x00 0x00 0x01 in boot splash's "reserved" int. Haven't checked other 6 images though.

We already know how to make our own logo.bin...there's a thread in the "Themes and Apps" section.

treChoy said:
We already know how to make our own logo.bin...there's a thread in the "Themes and Apps" section.
Click to expand...
Click to collapse
Wow I didn't notice it before... This thread is revealing secrets of the magic and pushing it further
But he says the header is 512 bytes, which is different from what I've found. I will take a look. However, since there are pics as small as ~300*30, skipping 512bytes may cause visible loss of the content. Maybe that's for splash screen only.

updateing said:
Wow I didn't notice it before... This thread is revealing secrets of the magic.
But he says the header is 512 bytes, which is different from what I've found. I will take a look. However, since there are pics as small as ~300*30, skipping 512bytes may cause visible loss of the content. Maybe that's for splash screen only.
Click to expand...
Click to collapse
As far as they've discovered on the thread, they've only really uncovered the workings of the splash screen. We know that fastboot is also affected by the LOGO partition, but we don't know how that ties in with the bootloader. The ColorOS LOGO.bin displays, "已進人fastboot..." when in fastboot mode, and the International LOGO.bin displays "Fastboot Mode" with the Cyanogen mascot.
One thing is for certain though: this is DANGEROUS. There's a very good possibility of bricking because of the LOGO partition's relationship with the bootloader. I was talking to another developer here about his work with the LOGO partition, and he said he bricked his phone, but recovered it by holding the power button, and then manually writing the correct LOGO partition using the 'dd' command.
I've contacted OnePlus support about this, so we should hear word back around Easter.

treChoy said:
As far as they've discovered on the thread, they've only really uncovered the workings of the splash screen. We know that fastboot is also affected by the LOGO partition, but we don't know how that ties in with the bootloader. The ColorOS LOGO.bin displays, "已進人fastboot..." when in fastboot mode, and the International LOGO.bin displays "Fastboot Mode" with the Cyanogen mascot.
One thing is for certain though: this is DANGEROUS. There's a very good possibility of bricking because of the LOGO partition's relationship with the bootloader. I was talking to another developer here about his work with the LOGO partition, and he said he bricked his phone, but recovered it by holding the power button, and then manually writing the correct LOGO partition using the 'dd' command.
I've contacted OnePlus support about this, so we should hear word back around Easter.
Click to expand...
Click to collapse
Hope OnePlus support team is open to this kind of mod...
As for the developer you mentioned, could you please ask him if he entered Qualcomm DLOAD mode and used some .hex file to boot the phone into mass-storage mode? I know when this (QHSUSB DLOAD device) shows up, the bootloader has already failed and this is the last recovering method of the phone. Seen it on my Xperia TX...
And the method mentioned in this thread will also work on CM's LOGO.bin, except for the 164xH issue.

updateing said:
Hope OnePlus support team is open to this kind of mod...
As for the developer you mentioned, could you please ask him if he entered Qualcomm DLOAD mode and used some .hex file to boot the phone into mass-storage mode? I know when this (QHSUSB DLOAD device) shows up, the bootloader has already failed and this is the last recovering method of the phone. Seen it on my Xperia TX...
And the method mentioned in this thread will also work on CM's LOGO.bin, except for the 164xH issue.
Click to expand...
Click to collapse
The developer is @demkantor . And I was wrong about how he unbricked his device. He said that after messing around with the LOGO partition, he got the dreaded "QHUSB_BULK" error, but after a few seconds, his OPO rebooted on his own. He had to 'dd' the regular LOGO partition to get his bootloader up and running. Original thread here: http://forum.xda-developers.com/oneplus-one/help/qhsusbbulk-help-t2848238

treChoy said:
The developer is @demkantor . And I was wrong about how he unbricked his device. He said that after messing around with the LOGO partition, he got the dreaded "QHUSB_BULK" error, but after a few seconds, his OPO rebooted on his own. He had to 'dd' the regular LOGO partition to get his bootloader up and running. Original thread here: http://forum.xda-developers.com/oneplus-one/help/qhsusbbulk-help-t2848238
Click to expand...
Click to collapse
I have once seen somewhere that you can find specific .hex file (e.g. MPRG8960.hex for MSM8960) to download into the phone by QPST Service Programming. Then the phone will boot into mass storage mode, where computer will recognize the phone as a removable disk drive. Now the whole internal storage is "mounted" on the computer and you can use dd to restore then.
(Google'd and it says only QHSUSB_DLOAD need the hex file. QHSUSB_BULK should be mounting the internal storage to computer automatically and dd will be available. Not sure about that. Example: http://forum.xda-developers.com/showthread.php?t=2582142&page=1)

yeah the header is 512 bytes. Now the images are all correct :victory:

Flashing a bad LOGO.bin did send me to the QHSUB_DLOAD mode and I tired rebooting holding down all three buttons. It did seem to work but after a bit it seemed to just boot on its own. Then I just used an adb shell to run dd commands to flash the proper .bin and all has been well since then
Still have been to busy with our newborn to look into anything deeper but between this thread and the one by @chillstep1998 and treChoy and other it looks to be all good!
Glad all is coming together on this end, keep up the great work all

dear thread creater.. i tell u what is that zeros after anything.
actualy android reads anything in block size.. like this
4,4,4,4,4.....
or 8,8,8,8,8.....
or 16,16,16,16...
or....
or...
or...
or 512,512,512,512...
or......
so.. if block size is 512 then it would read 512 bytes first..
now think what if there is only 50 or 51 bytes.. if will be a error.. if it has code to handle errors.. it is slow.
this is called alignment.. we say header is aligned to 512 bytes.
to make alignment it would add padding of NULLs(chr(0) in vb)
same nulls for the end of file to make it aligned to some size.
thank you.

m9j_cfALt said:
dear thread creater.. i tell u what is that zeros after anything.
actualy android reads anything in block size.. like this
4,4,4,4,4.....
or 8,8,8,8,8.....
or 16,16,16,16...
or....
or...
or...
or 512,512,512,512...
or......
so.. if block size is 512 then it would read 512 bytes first..
now think what if there is only 50 or 51 bytes.. if will be a error.. if it has code to handle errors.. it is slow.
this is called alignment.. we say header is aligned to 512 bytes.
to make alignment it would add padding of NULLs(chr(0) in vb)
same nulls for the end of file to make it aligned to some size.
thank you.
Click to expand...
Click to collapse
Thanks! I know there are some alignment rules, but didn't expect them to be here. I've seen aligning the whole file to 4 bytes or so, but little do I know that a section header needs alignment as well. I guess that's because this LOGO.bin is used in such a low-level "environment" that we don't have enough time & space to handle the non-aligned data. Am I right?

updateing said:
Thanks! I know there are some alignment rules, but didn't expect them to be here. I've seen aligning the whole file to 4 bytes or so, but little do I know that a section header needs alignment as well. I guess that's because this LOGO.bin is used in such a low-level "environment" that we don't have enough time & space to handle the non-aligned data. Am I right?
Click to expand...
Click to collapse
Hi man!
Do you know how change the battery animation when the phone is charging(when is off)?
I've tried to change the imgs in /res/images/charger, but you know, it doesn't work eheheh...
Can you help me?

Reive said:
Hi man!
Do you know how change the battery animation when the phone is charging(when is off)?
I've tried to change the imgs in /res/images/charger, but you know, it doesn't work eheheh...
Can you help me?
Click to expand...
Click to collapse
I don't have a OPO to test, all these analysis are theoretical. So I may not be able to help. Sorry...

How to remove Enterprise Enrolment from Acer C720 (and other chromebooks) [GUIDE]

Stuck with a enterprise managed Chromebook bought second hand and unable to remove it? Here is how to 'Remove Enterprise Enrollment' from Acer C720 Chromebook (and will work for others also)
The procedure is as follows (for a Acer C 720 Chromebook) however it is the exact same for most other models the only differing part is location of the read/write screw.
Step 1: Turn off Chromebook, unplug and remove all the screws from the base.
Step 2: Remove the base off and locate the read/write protection screw
Here it is on the C720 at location 7:
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
Step 3: Screw the base on with one screw (because there is a pressure switch that won't let you start it up without having the base on)
Step 4: Plug in and go into Recovery mode (Hold Esc + Reload and press the power key). Release keys when you see the screen light up.
You'll see "Chrome OS is missing or damaged" screen
Step 5: Press Ctrl + D then enter
You'll see "Chrome OS verification is turned off"
Step 6: Press Ctrl + D and the CB will restart into developer mode.
Note: If it tells you administrator has disabled developer mode perform a hard reset by unplugging the battery internally in the device, disconnecting the power and holding down the power button for 60 seconds.
Step 7: Once in developer mode (it'll give you a warning screen then continue to boot up as usual after a few beeps) Press the keys Ctrl+Alt+-> (F2) to launch terminal
Step 8: Enter the following commands:
chronos
sudo su
vpd -l (display serial number and device info)
vpd -s “serial_number”=”0000000000X” (write serial #, can replace 0000000000X with anything you like) must be all CAPS and numbers.
(takes about 15 seconds)
vpd -l (to check change is successful as it doesn't give you any confirmation)
Step 9: Reassemble with all screws incl read/write. Reboot and turn OS verification back on.
Step 10: Enjoy your non enterprise enrolled C720 (or other) chromebook.
Step ?: (optional if you are getting error flashromPartialWrite() clean the contacts that were under the screw with isopropyl alcohol or meths to make sure there is no continuity between the points from wear.
** Note: I am not responsible for you damaging your device in any way **
If i've helped you in any way feel free to donate via the following button. Cheers

i need a little help i have the Samsung Google Chromebook XE303 XE303C12-A01U after trying to change the serial number when i go to check it with vpd -l it gives me the flashrompartialwrite() error. i checked and cleaned where the screw goes but i still get the error. is the screw supposed to be back in at this part of it? please help thank you

I get a login and password need help noob please

Smoker90 said:
i need a little help i have the Samsung Google Chromebook XE303 XE303C12-A01U after trying to change the serial number when i go to check it with vpd -l it gives me the flashrompartialwrite() error. i checked and cleaned where the screw goes but i still get the error. is the screw supposed to be back in at this part of it? please help thank you
Click to expand...
Click to collapse
I'm going to answer this a bit late in case anyone else has this question...
The R/W screw needs to be off until you are ready to put your laptop back together. (after all, you want to be able to write to bios and the screw in place will prevent this)

Doesn't work
hOW CAN YOU REMOVE THE ENTERPRISE ENROLLMENT FROM AN ACER C910

How do you do that on a c730
Version 5.4

Here I am in 2017 will be trying this on a c740 in the near future. Thank you for the guide

is this possible on a hp chromebook 11 g4, if so wher eis the read/write screw located?

I cant't get the administrator has disabled developer mode page. I have tried removing the battery as suggested and had no success.

Same!! Trying soo hard to find a solution

So, I have a Toshiba Chromebook 2. I found it has 2 screws for write protection. Removed them both, no change, I still get the developer mode disabled by the administrator message. Can`t do anything on it. Is there a custom OS I can install over the existing one so I can at least get developer mode enabled?

I have an Acer C731. I opened it up and tried to do a hard reset by unplugging the battery, with no luck. As soon as the Chromebook was connected to Wi-Fi it enrolled under administration. I also was not able to locate the R/W screw in this particular model. Help please?

jbywater said:
I have an Acer C731. I opened it up and tried to do a hard reset by unplugging the battery, with no luck. As soon as the Chromebook was connected to Wi-Fi it enrolled under administration. I also was not able to locate the R/W screw in this particular model. Help please?
Click to expand...
Click to collapse
The screw is located near the wifi card with a white arrow.

josuecas said:
The screw is located near the wifi card with a white arrow.
Click to expand...
Click to collapse
Yes on my Asus CN60 chromebox, the r/w screw is screwed onto the motherboard, onto a solder pad that is a semi-circle split into two quadrants. The presence of the screw joins the two quadrants to emulate a PC jumper in the closed position.
To open this jumper, simply undo the screw all the way out and keep it safe outside of the box. Once this is done, the boot SSD is r/w, which then allows the developer mode process be able to commit its changes to the boot device.
On my Asus CN60, I think I have cleared the Enterprise enrolement by having the two items present whilst doing the power on with Recovery Button pressed.
- R/W screw removed.
- CMOS battery CR-2025 unplugged.
I am going to keep trialing. If the above has not worked, I am going to try the OP's vpd -s “serial_number”=”0000000000X” method.
ASIDE: I am going to keep a note of the serial number I am overwriting in case this is of any future use.
The reason why I say I think I have removed the enterprise enrolement, is before, I could not login at all. Now, whilst in the developer mode, I can now login using my normal non enterprise login.
I have yet to boot into a normal non developer mode if possible, and see if I can login there.

I've bypassed enterprise enrollment so I can login and use the chromebook normally, but I wasn't able to locate the r/w screw so I can move forward with installing Linux.

RyanPieper said:
I've bypassed enterprise enrollment so I can login and use the chromebook normally, but I wasn't able to locate the r/w screw so I can move forward with installing Linux.
Click to expand...
Click to collapse
how did you go about getting past the "administrator has disabled developer mode" part, or did you have to? i am stuck on that part.

I have an HP Chromebook 14 G4 and followed the tutorial perfectly. I still can't get past the "The administrator has disabled developer mode" bs. Any help?

Request
Can you please make a guide on how to do this with an acer c740 with specifucs on how to do so if the administrator has disabled dev mode?

C732
How do I unenroll an acer C732 with dev mode blocked?

does this still work?

[GUIDE] How to unlock the bootloader of Nokia 4.2

WARNING!
THIS GUIDE REQUIRES DISASSEMBLY, SO YOU WILL DEFINITELY LOSE THE WARRANTY!
DO IT AT YOUR OWN RISK!
If you want to repost this guide to other websites, please let me know before you repost.
For Chinese users: 中文版教程将会在dospy发布。
Click to expand...
Click to collapse
UPDATE: I've updated the new tool for unlocking the phone without understanding how to utilize such long commands.
You can watch the demonstration here: https://youtu.be/whrFsn8h7A4
Click to expand...
Click to collapse
So after I got a Nokia 4.2 prototype by opportunity, I just found the theory of bootloader unlocking.
Tricking development options for allowing "OEM unlocking" no longer works on latest security update.
What you need to have:
- a Nokia 4.2 unit that you finished back cover and upper plastic shell removal
- tweezers, and probably a standard philips screwdriver
- QPST (use at least 2.7.474) or any other app that could access the EDL, and Qualcomm USB port drivers are installed
- Latest Google Platform Tools
- Full backup of your userdata
Step 1: Trigger the phone to EDL mode, then change the driver to "Qualcomm HS-USB QDLoader 9008"
Please take a look at the attachment below, about the location you need to use tweezers.
For Windows users:
If the driver is already indicated as "Qualcomm HS-USB QDLoader 9008", get to Step 2.
If the driver is indicated as either "QHSUSB__BULK" (For users who have installed Windows Device Recovery Tool before) or "Qualcomm HS-USB Diagnostics 9008", you must change the driver to "Qualcomm HS-USB QDLoader 9008".
After driver changed, you need to disconnect the phone, disconnect and reconnect the battery ribbon cable, then trigger the phone to EDL again.
I assume the COM port number is 8 (COM8).
Click to expand...
Click to collapse
Step 2: Write config partition
As we already know, config partition is also the frp partition.
You need to create a config partition image that has "OEM Unlocking" function enabled, which need to alter the last byte, then change the overall checksum to make the config file valid.
For your convenience, I've created one.
Now download and extract the attachment below.
Use QFIL included in QPST to load the firehose file. Choose "Flat Build" and choose the "prog_emmc_firehose_8937_ddr.mbn" you extracted from the attachment.
Choose "Tools" - "Partition Manager", then wait for the partition list appear.
As "Load Image" seems not reliable, we have to use command to write it manually.
For 64-bit Windows users, the command is:
Code:
"C:\Program Files (x86)\Qualcomm\QPST\bin\fh_loader.exe" --port=\\.\COM8 --search_path=D:\path\to\where\you\extracted\N32_N42_unlock --sendimage=config.img --start_sector=16583680 --lun=0 --noprompt --showpercentagecomplete --zlpawarehost=1 --memoryname=emmc
If you use 32-bit Windows, you need to remove the " (x86)" (within space, without quotes) in the command above.
Step 3: Trigger the phone back to fastboot mode
Now hold the Volume down key, keep the phone connected, close the partition manager, then your phone will exit EDL mode and enter Fastboot mode directly.
Now check the unlock ability:
Code:
fastboot flashing get_unlock_ability
Expected output:
Code:
get_unlock_ability: 1
Step 4: Unlock the bootloader!
And you can unlock the bootloader with familiar commands.
Code:
fastboot flashing unlock_critical
Confirm unlock on the phone, then keep the volume down key pressed while the phone is erasing userdata.
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
Your phone will boot to fastboot mode again, and then:
Code:
fastboot flashing unlock
Confirm unlock on the phone again.
All done, that's how the bootloader is unlocked. You can reassemble the phone.
But strange enough, you can't see any unlock warning.
I will release boot image dumping guide and root guide very soon.
Special thanks:
Wingtech for leaking prototype units

why must Nokia insist on locking their devices down so hard ??
great discovery, will definitely be useful once TWRP is released. just curious, but SafetyNet is tripped with this, right?

Great!
Damn Nokia

I don't even own this phone but I kinda want to weigh in, are we seriously at this point? No honestly, Android as a whole was basically were dev focused iOS is locked down to hell and back here's freedom. Google has the Nexus line made for developers companies embraced it I remember there being multiple Google play editions of phones that ran stock Android. I'm happy we as a community can keep this alive but damn are companies trying to make it difficult to do something I want to do to a device I paid for and own. Samsung you can't root (save for sampwn and samfail) LG locked down bootloaders and gimped fastboot on some models (fastboot seriously?) Nokia now requiring you to take apart the freaking phone to achieve this, I'm half asleep and can't think of any other major brands at the moment. It's a joke. (Above root methods were mainly for US variants and TMobile variants of LG) something has to change I know it won't and I understand the reasoning behind it security and such but still. Sorry for the rant congrats OP on what you did I consider it magic but it's more you accomplished something I could only wish I could do.

Will it be possible to do without disassembly? Just in theory, not now

kir23rus said:
Will it be possible to do without disassembly? Just in theory, not now
Click to expand...
Click to collapse
Unwise to say no with absolute certainly, but doubtful

kir23rus said:
Will it be possible to do without disassembly? Just in theory, not now
Click to expand...
Click to collapse
I think it will be possible.
There's a hidden command in aboot "fastboot reboot-emergency" but unusable, unless some sort of authentication is done or bootloader unlocked.
I still don't know how the authentication is done yet, but it's definitely not something that average developers can access to.
That's why disassembly is required for now.

Very interesting breakthrough. Great work
I'm facing the same bootloader unlock in my infinix hot s 3. I believe I can use your procedure to unlock my device. And if necessary how to make changes to the config file? I will be expecting your reply soon. Thanks

Is it possible to explain how the config.img file is altered ? It might not be difficult to alter the last byte , but what does it mean to Change the overall checksum ? I have been trying to do something similar for a while , it would be great if you answered here or via PM , thank you

awab228 said:
Is it possible to explain how the config.img file is altered ? It might not be difficult to alter the last byte , but what does it mean to Change the overall checksum ? I have been trying to do something similar for a while , it would be great if you answered here or via PM , thank you
Click to expand...
Click to collapse
Fill first 32 bytes with 0x00, then calculate SHA256 checksum and paste the new checksum as hex value at the first 32 bytes.

hikari_calyx said:
Fill first 32 bytes with 0x00, then calculate SHA256 checksum and paste the new checksum as hex value at the first 32 bytes.
Click to expand...
Click to collapse
Thank you for taking the time to explain, great help and great effort, the last byte should be altered to 1 ? Or 0 ?

awab228 said:
Thank you for taking the time to explain, great help and great effort, the last byte should be altered to 1 ? Or 0 ?
Click to expand...
Click to collapse
1 for allow, 0 for disallow

do you have any fastboot rom or rawxml rom for this device ??
mine always reboot in bootloader mode.

malkabhai said:
do you have any fastboot rom or rawxml rom for this device ??
mine always reboot in bootloader mode.
Click to expand...
Click to collapse
We have full OTA zip of it.
You can use payload dumper + img2simg to convert it to fastboot images. If recovery mode working (including unofficial TWRP), you can also reboot your phone to recovery mode to sideload it.
PAN-141B-0-00WW-B03-update.zip

I was able to use "OEM Unlocking" from developer options and after starting at step 3, to obtain a full unlock. After I was also able to fully root my phone using the normal guide. I am running the latest security update (October 5 2019). No idea why this worked for me...

Hello,
I've got the Nokia 3.2 16gb variant. I can get it into edl mode but it seems to be in Sahara mode. How can I put it into firehose mode? Because I can't load anything using qfil.
Any help?

Missing pads
Any idea where these pads could be now? That does not seem to be there anymore?

Missing testpoint pads
piteer1 said:
Any idea where these pads could be now? That does not seem to be there anymore?
Click to expand...
Click to collapse
I has the same problem. Thanks in advance.

I don't see those test point in my mobile

Hi, does this work for Nokia 6.1 plus TA-1083? or do you have any trick for this too?
I am able to load phone in EDL Mode by making EDL Points short.
Just in case you read my comment, I have a emmc problem post, if you can help -
https://forum.xda-developers.com/nokia-6-1-plus/help/nokia-6-1-plus-edl-mode-emmc-failure-t4114507